The names, Social Security numbers and driver’s license numbers of more than 12,000 online student applicants at York Technical College might have been exposed, school officials said Tuesday.
And it was one of the applicants who discovered the problem and brought it to the college’s attention.
An online admissions system used from January 2012 to April 2013 was at risk, officials said. The college has shut down the system, they said, and no other computer systems were affected.
The school said it has no evidence of any “malicious access.”
York Tech has notified the applicants of the exposure. A letter to applicants contains steps that can be taken to protect their personal information and obtain one year of free crediting monitoring services.
A new online admissions system is being developed, college officials said, and should be in place by Friday, followed by a “more robust” system scheduled for use in the fall.
York Tech has hired a security consultant to evaluate the old online system and recommend any additional safeguards.
The cost of hiring the consultant, paying for credit monitoring and providing other services could reach $100,000, which would come from the college’s contingency fund.
York Tech President Greg Rutherford said the applicant who discovered the problem used a computer tool that would allow him to make changes to the online system and “potentially view data.”
The applicant contacted the college April 16 about the vulnerability.
Rutherford declined to release the person’s name, saying he was not a college employee or a current student. He said the person, who he identified as someone experienced in information technology, wants to come to York Tech to add to his computer certification, possibly this summer or fall.
The online application system was developed internally by York Tech and has been in use since 2005, Rutherford said. The school selected January 2012 as the earliest notification because the system had been purged of data before then.
York Tech has notified the state Department of Consumer Affairs about the problem. Since there is no evidence of criminal activity, Rutherford said, no law enforcement agencies have been notified.
York Tech problems were vastly different from the breach experienced by the state Department of Revenue in 2012, Rutherford said, which was the largest hacking of a state agency.
There is no evidence any York Tech data has been accessed or illegally used, he said.
The cyber-thief who hacked into the Revenue Department’s computer servers last September took unencrypted data from 3.8 million individual filers and 700,000 businesses. The information included Social Security numbers and credit and debit card numbers for 387,000 returns.